Written by: jsai@Jinse Finance & Claude
Bear Markets See Frequent Thefts!
On April 1, 2026, Drift Protocol, one of the largest DEX protocols in the Solana ecosystem, suffered a hacker attack, losing over $200 million in less than an hour.
Although it happened on April 1st, this is not an April Fool's joke.
I. Who is Drift?
Drift Protocol is one of the most important decentralized derivatives exchanges in the Solana ecosystem, with perpetual contract trading (Perp) as its core business, supporting multi-asset collateralization and deposit interest-bearing. Before the incident, Drift's total value locked (TVL) exceeded $550 million, with a daily perpetual contract trading volume of nearly $70 million, making it one of the core infrastructures of the Solana on-chain DeFi ecosystem.
However, on April 1, 2026, this vault worth hundreds of millions was almost emptied in less than an hour.
II. Event Summary: A Carefully Planned Liquidation
Planning Phase (8 days ago)
On-chain researchers discovered that the attacker's wallet (HkGz4KmoZ7Zmk7HN6ndJ31UJ1qZ2qgwQxgVqQwovpZES) was created eight days before the attack and obtained initial funds through the NEAR protocol's Intents cross-chain system. This address remained silent, awaiting its opportunity. The attacker also sent test transactions worth approximately $2.52 to Drift Vault to verify its control over the contract.
Attack Occurred (16:00 UTC, April 1st; 00:00 Beijing Time, April 2nd)
The attack officially began at 16:00 UTC.
The first transaction transferred approximately $155 million worth of JLP tokens (Jupiter liquidity pool tokens) from the Drift vault. Subsequently, the attackers, through approximately 11 coordinated transactions within about an hour, withdrew all assets from multiple vaults. The composition of the stolen assets is staggering: 41.72 million JLP (approximately $155.6 million), 51.616 million USDC (approximately $51.62 million), 125,000 wSOL (approximately $10.45 million), 164,349 cbBTC (approximately $11.29 million), and other tokens. Within minutes, the assets in one of the Drift vaults plummeted from $309 million to $41 million.
Money Laundering and Asset Transfer
The attackers did not leave any funds behind. On-chain data shows that the hackers deposited SOL tokens into the Hyperliquid and Binance exchanges and purchased over $82 million worth of Ethereum (ETH). Some funds were transferred to the Ethereum network via the Wormhole cross-chain bridge and then distributed to multiple addresses. The attackers also minted approximately $4 million worth of USDC through cross-chain methods; this portion of stablecoins is currently frozen by Circle on the Ethereum network.
Protocol Response
The Drift team issued a warning on X at approximately 3:00 AM Beijing time: "Drift Protocol is under active attack. Deposits and withdrawals have been suspended. We are coordinating with multiple security companies, cross-chain bridges, and exchanges to control the situation. This is not an April Fool's joke."
Given that the incident occurred on April 1st, the Drift team specifically emphasized "this is not an April Fool's joke"—this statement itself encapsulates the absurdity and tragedy of this incident.
III. Root Cause of the Theft: Not a Smart Contract Vulnerability, but Human Error
The official investigation is still ongoing, but on-chain researchers and security experts have pointed to the most likely attack vector: leakage of the administrator's private key.
However, whether this private key leak was due to hacking or insider theft remains a big question mark. The founder of blockchain security company PeckShield told Decrypt that the attack relied on gaining privileged access to the Drift protocol. "The administrator key behind Drift was definitely leaked or compromised in some way," he said. In other words, it was a human error, not a technical smart contract vulnerability.
Yu Xian, founder of SlowMist, analyzed the Drift theft, pointing out that a week before the attack, Drift adjusted its multi-signature mechanism to "2/5" (1 old signer + 4 new signers) and did not set a timelock. The attackers then gained administrator privileges, forged CVT tokens, manipulated oracles, disabled security mechanisms, and transferred high-value assets from the liquidity pools. Researchers noted that after gaining administrator privileges, the hackers locked the Drift team out by modifying the administrator key, preventing them from stopping the ongoing attack and thus completing the liquidation of multiple liquidity pools.
More seriously, subsequent disclosures revealed that Drift Protocol lacked security audits from mainstream institutions like CertiK, and its governance authority design also had obvious centralization weaknesses. While audits themselves cannot guarantee absolute safety, they help eliminate obvious attack points.
IV. Which Protocols and Ecosystems Were Affected?
Direct Impact
Several publicly listed Solana treasury companies, including Forward Industries and DeFi Development Corp, have stated that their treasuries were not affected by this incident. However, due to Drift's deep integration into the Solana DeFi ecosystem, the chain reaction spread rapidly. Fifteen protocols, including Jupiter, Perena, Project 0, Exponent, Carrot, Ranger, PiggyBank, Reflect, Project 0, Elemental, Neutral Trade, Pyra, Fuse, Neutral Trade, and XPlace, confirmed that they were affected to varying degrees by the Drift theft.
Token Market
Drift's native governance token, DRIFT, plummeted over 28% after the incident, trading at approximately $0.049. This token has fallen over 98% from its all-time high of $2.60 in November 2024.
Solana's native token, SOL, also fell within hours of the incident, hitting a low of $83.82 before slightly recovering.
Cross-Protocol Risk
Since the attacker holds a large amount of FARTCOIN, approximately 2.5% of the total circulating supply, a potential sell-off could impact the token's price. The large influx of stolen wBTC, ETH and other wrapped assets into the market could also put de-pegging pressure on related protocols.
Infrastructure Layer Response
Solana's ecosystem wallet, Phantom, has issued warnings to users attempting to access the Drift Protocol. Circle, after being notified, has also frozen some USDC that had been transferred to Ethereum.
V. Historical Context: One of the Biggest Heists in the Solana Ecosystem
According to Rekt's on-chain hacking incident rankings, if the scale of the damage from this attack is ultimately confirmed, it will become one of the largest attacks in the history of the Solana ecosystem, second only to the $326 million Wormhole cross-chain bridge hack in 2022.
By comparison with the large-scale DeFi security incidents of recent years, this Drift incident surpasses the $223 million loss of Cetus Protocol in the summer of 2025, making it one of the most serious Web3 security incidents in the past two years.
VI. Profound Implications for DeFi Security
1. The Centralized Achilles' Heel of "Decentralized" Protocols
The most profound irony of this attack is that Drift, under the banner of "decentralization," collapsed due to a centrally held administrator private key. If core control remains concentrated in the hands of a single key holder, even the most sophisticated on-chain code is just a futile defense.
Administrator privileges should be distributed through multisig or timelock mechanisms; this is not a recommendation, but a minimum standard.
2. The Attacker's Patience Far Exceeded the Team's Vigilance
The attacker created a wallet eight days before launching the attack and conducted small test transactions to verify their control. The entire premeditation process lasted more than a week, yet the protocol team's monitoring system did not trigger any alerts. This means that traditional "post-attack response" security systems are almost ineffective against highly premeditated attackers—real-time anomaly detection and on-chain behavior monitoring must be infrastructure, not optional.
3. The Higher the TVL, the More Likely It Is to Be a Target
Before the attack, Drift, with a TVL of $550 million, was one of the most conspicuous targets on the Solana chain. This is an unavoidable structural paradox between high returns and high risks in DeFi—the more concentrated the funds, the stronger the incentive for attackers. Protocol design should introduce a fund distribution mechanism to cap the maximum loss once a single point of attack is breached.
4. The Lack of a Security Audit Is an Undeniable Negligence
This attack exposed the fatal flaw of Drift Protocol's lack of auditing by mainstream security organizations. With a TVL exceeding $500 million, releasing a protocol to users without adequate auditing is essentially a risk transfer to those users. Auditing is not a marketing gimmick; it is a basic threshold for being responsible for user funds.
5. Cross-Chain Bridges and DEX Aggregators Are Highways for Fund Escape
After the attack, the stolen funds were quickly exchanged on-chain through the Jupiter aggregator and transferred to Ethereum via cross-chain bridges. This path has been used by hackers repeatedly—while infrastructure like Wormhole and Jupiter improves capital efficiency, it also facilitates the rapid flow of illicit funds. How to introduce compliance filtering mechanisms at the infrastructure layer without compromising decentralization is a challenge the industry needs to address collectively.
6. An Emergency Suspension Mechanism Should Be Standard, Not a Luxury
In this incident, the Drift team was unable to intervene in time to prevent the attack from escalating because the administrator key had been replaced and the multisig had no timelock. This illustrates that the protocol's emergency response capability must be independent of the administrator key—for example, through a circuit breaker built into the smart contract layer: once a threshold (such as an extremely large withdrawal within a unit of time) is triggered, protocol operation is automatically suspended without any manual intervention.
VII. Epilogue
Today is April 1, 2026, and the Drift team emphasized three times in its announcement that "this is not an April Fool's joke." In a sense, the real joke is not the coincidence of the date, but the fact that a protocol managing $550 million in user funds was compromised by a leaked private key; a decentralized system that prides itself on being "trustless" fell victim to the oldest and most human of mistakes—key management negligence. The DeFi narrative has never changed: code is law, on-chain transparency, and user autonomy. But any narrative depends on people; people are the key to its success.
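Lessons 1 and 6 above call for two controls: a timelock on administrator-key rotation (so a hostile key change cannot lock a team out instantly) and a circuit breaker that suspends withdrawals independently of the administrator key. The Rust sketch below is an added illustration written for this article, not Drift Protocol's code; the `Vault` type, the `guardian` role, the 48-hour delay, the one-hour window and the 10% threshold are all assumptions chosen for the example.

```rust
use std::collections::VecDeque;
pub type Pubkey = [u8; 32];
pub const ADMIN_DELAY: u64 = 48 * 3600; // assumed 48 h timelock on admin rotation
pub const WINDOW: u64 = 3600;           // assumed 1 h sliding window for outflows
pub const MAX_OUTFLOW_BPS: u64 = 1_000; // assumed: trip if more than 10% of TVL leaves within one WINDOW
#[derive(Default)]
pub struct Vault {
    pub admin: Pubkey,
    pub guardian: Pubkey,                     // separate role that can only veto a rotation
    pub pending_admin: Option<(Pubkey, u64)>, // (proposed key, earliest execution time)
    pub tvl: u64,
    pub outflows: VecDeque<(u64, u64)>,       // (timestamp, amount) still inside the window
    pub tripped: bool,
}
impl Vault {
    // Step 1 of a key rotation only records intent; the live admin key is unchanged.
    pub fn propose_admin(&mut self, caller: Pubkey, new_admin: Pubkey, now: u64) -> Result<(), &'static str> {
        if caller != self.admin { return Err("not admin"); }
        self.pending_admin = Some((new_admin, now + ADMIN_DELAY));
        Ok(())
    }
    // Step 2 succeeds only after the delay, so a hostile rotation is visible on-chain before it takes effect.
    pub fn execute_admin(&mut self, now: u64) -> Result<(), &'static str> {
        let (key, eta) = self.pending_admin.ok_or("no pending rotation")?;
        if now < eta { return Err("timelock not elapsed"); }
        self.admin = key; self.pending_admin = None; Ok(())
    }
    // The guardian can veto a pending rotation at any point during the delay.
    pub fn cancel_admin(&mut self, caller: Pubkey) -> Result<(), &'static str> {
        if caller != self.guardian { return Err("not guardian"); }
        self.pending_admin = None;
        Ok(())
    }
    // Withdrawals are rate-limited by a breaker that no key, admin included, can bypass.
    pub fn withdraw(&mut self, amount: u64, now: u64) -> Result<(), &'static str> {
        if self.tripped { return Err("circuit breaker tripped"); }
        if amount > self.tvl { return Err("insufficient funds"); }
        while matches!(self.outflows.front(), Some(&(t, _)) if now - t >= WINDOW) { self.outflows.pop_front(); }
        let already_out: u64 = self.outflows.iter().map(|&(_, a)| a).sum();
        // Measure against TVL at the start of the window, not the shrinking live balance.
        let limit = (self.tvl + already_out) * MAX_OUTFLOW_BPS / 10_000;
        if already_out + amount > limit {
            self.tripped = true; // pauses automatically; clearing it is a governance action, not an admin one
            return Err("circuit breaker tripped");
        }
        self.outflows.push_back((now, amount));
        self.tvl -= amount;
        Ok(())
    }
}
```

With these two controls in place, an attacker holding the admin key can neither rotate it unnoticed nor drain more than the window allowance before the vault pauses itself.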